Pier Fumagalli wrote:
> On 9/12/02 23:06 "Jeanfrancois Arcand" <[EMAIL PROTECTED]> wrote:
>> Pier Fumagalli wrote:
>>> On 9/12/02 17:14 "Jeanfrancois Arcand" <[EMAIL PROTECTED]> wrote:
>>>> You don't need to learn JSP/Admin Tool if you don't use it. The actual
>>>> Tomcat installation doesn't require you to learn the Admin Tool or JSP....
>>> As I said 6 or so months ago... That "thing" is a security hole as big as
>>> the Empire State Building... As most of the stuff that make up "tomcat"...
>>> We have some bugs in JSR-154, few in Jasper, few in JSSI, few in CGI... All
>>> together it makes a ****load of em...
>> Yes, you are right (think about Windoses). Is the reason to have a 154-only
>> distribution security? That's a very different story...
> For me it is... For others it might be a different reason... I joined Apache
> because of a friend, you because of your employer... SO? Reasons are
> different, outcome is the same...

Yep. That's why we are trying to reach consensus.

>> Did I say that every software is secure? You are right and I will not argue
>> at all. But from your previous posting, I was under the impression you were
>> aware of security holes.... Can you give me an example of a security hole? I
>> would be interested to fix those holes....
> They come up every now and then... That's why Costin wanted that all-private
> for your eyes only no one who is not cross checked with the FBI gets in
> security mailing list, right?...

Not sure that is the real reason. We were doing a Security Audit during that
time and as a community, we were trying to find a better list to declare
possible security issues and fix them before the public is informed.

> Want a list of the past ones?
> http://search.cert.org/query.html?col=certadv&col=incnotes&col=vulnotes&ht=0&qp=&qt=tomcat&qs=&qc=&pw=100%25&ws=1&la=en&qm=0&st=1&nh=25&lk=1&rf=2&rq=0&si=1
> (err, page 1 out of 24)...
>
> ;-)

>>>> If someone can come up with a Servlet-only distribution, at least I won't
>>>> get holes from all the other (totally useless) components...
>> True. But if Jasper/AdminTool/etc. are secure, then that's not a good
>> reason IMO.
> Ehemm... With 24 pages of vulnerability notes? Ha.. Hahaha.... Hahahaha! :-)
> Rule of the thumb #1... Not even
>
>     public class Main {
>         public static void main(String argv[]) {
>             System.out.println("This program doesn't have a bug");
>         }
>     }
>
> Doesn't have a bug, alright? Because to execute that little statement my proc
> actually does some bazillion operations, and god knows how many INC, ADD, SUB
> and MUL my proc does to get that out... So, rule of the thumb #2. No software
> ever written is _ever_ secure (Just consider that the Boeing 777 "software" -
> which is the most secure OS on this planet as far as research goes - Has only
> one bug every 180.000 lines of code)...
>
> Now, don't tell me that ALL that collection of cruft doesn't have a bug...
> It's just that we are lucky and no one found them yet (given enough eyes...
> Linus says)...

I never say that and I will never say that. But at least I have tried during the
Security Audit to fix some of the obvious ones. Still Tomcat is probably not
secure enough (and will never be). My point is if you are aware of such obvious
ones, then let me know and I will fix them. But I don't think Tomcat is more
secure without JSP.... I know, I know, what I think you don't care :-)

> To sum up: rule of the thumb #3, less code, less bugs (you folks from Sun
> preach that all over your Solaris Blueprints stuff, I learnt it when your
> employer was paying my salary).

Wow, didn't know that... I've missed the chance to work with you :-) I should
study my Tomcat history and learn who is doing what, what biases he/she has,
and then vote appropriately.

> So, please, don't come up on a mailing list saying "that is secure", just
> say that "no one has found a bug yet", because that (and only that) is the
> truth...

I agree my wording was not appropriate. Should say that in French next time :-)

> Pier

-- Jeanfrancois